The infection starts with a Trojan named Trojan.Droidpak. It drops a malicious DLL (also detected as Trojan.Droidpak) and registers it as a system service. This DLL then downloads a configuration file from a remote server. It then parses the configuration file in order to download a malicious APK to the compromised computer. The DLL may also download necessary tools such as Android Debug Bridge (ADB).
Next, it installs ADB and uses an ADB install command to push the malicious APK to any Android device connected to the compromised computer. Liu says the installation is attempted repeatedly so that a mobile device is infected as soon as it is connected. Successful installation also requires that USB debugging mode is enabled on the Android device.
USB debugging is a setting normally used by Android developers, but it's also required for some operations that are not directly related to development, like rooting the OS, taking screen captures on devices running old Android versions or installing custom Android firmware.
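The precondition described above, that a device must be connected with USB debugging enabled before a sideload can succeed, is visible in the state column of `adb devices -l`: only a device reported as `device` will accept an install, while `unauthorized` (debugging on, but the host's key not yet accepted on the phone) and `offline` will not. The following is an added example, not code from the original article or from the malware it describes; it parses constructed sample `adb devices -l` output, picks out the devices an install would reach, and shows the polling loop an analyst could use to reproduce the "retry until a device appears" behaviour in a lab. The serials, the `run` callback and the `MAX_POLLS` limit are assumptions for illustration.

```python
import subprocess
import time

# Constructed sample output of `adb devices -l` (not captured from a real host).
# State names ("device", "unauthorized", "offline") are the ones adb itself prints.
SAMPLE_ADB_DEVICES = """List of devices attached
0123456789ABCDEF       device usb:1-1 product:sample model:Sample_Phone transport_id:1
FEDCBA9876543210       unauthorized usb:1-2 transport_id:2
emulator-5554          offline
"""

MAX_POLLS = 3  # hypothetical bound so the lab loop terminates; the Trojan retries indefinitely


def parse_adb_devices(output):
    """Map each serial in `adb devices -l` output to its adb state string."""
    devices = {}
    for line in output.splitlines()[1:]:  # first line is the "List of devices attached" header
        parts = line.split()
        if len(parts) >= 2:
            devices[parts[0]] = parts[1]
    return devices


def installable(devices):
    """Serials an `adb install` would actually reach: debugging on and host key accepted."""
    return sorted(serial for serial, state in devices.items() if state == "device")


def install_commands(devices, apk_path):
    """The per-device install command line adb expects (-r replaces an existing package)."""
    return [["adb", "-s", serial, "install", "-r", apk_path] for serial in installable(devices)]


def run_adb_devices():
    """Real poll against the local adb server; only used when no `run` callback is injected."""
    return subprocess.run(["adb", "devices", "-l"], capture_output=True, text=True).stdout


def poll_for_installable(run=run_adb_devices, polls=MAX_POLLS, interval=0.0):
    """Poll `adb devices -l` until at least one device is installable or the poll budget is spent.

    Returns (attempts, serials). `run` is injectable so the loop can be exercised offline.
    """
    for attempt in range(1, polls + 1):
        serials = installable(parse_adb_devices(run()))
        if serials:
            return attempt, serials
        time.sleep(interval)
    return polls, []


if __name__ == "__main__":
    found = parse_adb_devices(SAMPLE_ADB_DEVICES)
    for serial, state in found.items():
        print(f"{serial}: {state}")
    for cmd in install_commands(found, "payload.apk"):
        print(" ".join(cmd))
```

Running this against the constructed sample reports one installable serial, one unauthorized and one offline device; only the first would receive the APK. The `unauthorized` state is worth knowing when following Liu's advice: even with debugging left on, a phone that has not approved the host's key will refuse the install, but that prompt is easy to accept reflexively, so disabling USB debugging when it is not needed remains the reliable control.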
However, the malicious APK actually looks for certain Korean online banking applications on the compromised device and, if found, prompts users to delete them and install malicious versions. The malware also intercepts SMS messages on the compromised device and sends them to a remote server.
Liu advised users to turn off the USB debugging feature on their Android devices when it's not needed and to be wary of connecting their mobile devices to computers they don't trust.